2019 ECSM: Securing emerging technology (IoT) at home

The second topic of the 2019 European Cyber Security Month is “Emerging Technology.” We address IoT devices (Internet of Things) at your home.

In this article, we briefly discuss several problems with IoT devices and ways to secure them.

Always stay in the loop!
Subscribe to our RSS/Atom feed.

IoT is everywhere

Dozens of IoT devices exist for private users and consumers nowadays. Examples are:

  • Air conditioners
  • Bluetooth trackers
  • Carbon monoxide monitors
  • Cookers
  • Digital scales
  • Fridges
  • Garage controls
  • Heating controls
  • IP cameras
  • Sensors (light, wind, rain)
  • Smart locks
  • Smart speakers
  • Smart sockets
  • Sprinklers
  • Toothbrushes
  • Vents
  • Voice assistants
  • Washing machines

IoT means these devices are somehow connected to your network. The devices may either directly connect to the internet via your router or indirectly via your smartphone or even via other devices. Some devices rely on Bluetooth while others use WiFi for connectivity.

These devices run firmware that might contain security vulnerabilities. In the worst case, attackers might be able to exploit these security vulnerabilities to attack the IoT device itself or other devices on your home network.

An example of insecure IoT devices

A common example of insecure IoT devices is an IP camera. IP cameras are connected to the internet so that you can access their camera feed everywhere. However, the configuration of many IP cameras is insecure, exposing the device to third parties. See our articles on unmaintained IP cameras.

We want to share the following screenshot as an example. The screenshot shows the configuration page of a publicly-exposed Mobotix camera. IP cameras may additionally leak your WiFi password and other sensitive information.

An image showing the settings of an exposed camera.
This is the configuration page of a publicly-exposed Mobotix camera. Other cameras may leak your WiFi password and further sensitive information. (🔍 Zoom in)

If you closely look at the screenshot, you see this camera runs the Mobotix firmware MX-V4.0.4.28, released on November 25, 2011. The firmware of this IoT device is nearly eight years old. In October 2019, the current version is MX-V4.7.2.21, released on June 6, 2019. Numerous updates contain important security fixes for the camera; however, the owner never deployed these crucial patches.

Whose fault is that? Is the manufacturer of the device responsible for updating the device? Or is the private owner responsible? No easy answer exists. Keep in mind information security is a shared responsibility.

Ways to secure your IoT devices

We share eight tips to secure your IoT devices:

  1. Create an asset inventory: Manufacturers of IoT devices want to make their devices easy-to-use for customers. Devices might automatically connect to the internet without additional configuration. You need to identify how devices connect to the internet and your network. Do they use WiFi, Bluetooth, or special IoT protocols? Is the network traffic protected?
  2. Use your router as a guard: Your router may be the central gateway to the internet for your IoT devices. Use your router to control and monitor your network traffic. Check our special Home network security. If you can’t use your router for this, consider deploying a dedicated network firewall.
  3. Update firmware of your IoT devices: Update the firmware of all your devices frequently. Updating the firmware might not be possible for every IoT device. Enable “automatic updates” if available.
  4. Set strong credentials instead of default ones: IoT devices may come with preconfigured factory passwords. These default credentials may be documented in user manuals, so attackers and scripts can easily check for such default configuration. Go to your device’s settings, and change its password. If you don’t know about managing credentials, check our article on modern credential management. Configure strong passwords for all devices.
  5. Check security and privacy settings: Check the security and privacy settings of every device. Devices may allow enabling HTTPS for transport encryption. Use built-in security features and understand their purpose.
  6. Disable features (and IoT devices) you do not need: Go to your device’s settings and carefully check their features. Disable features you never use (e.g., Bluetooth). If unnecessary features can’t be disabled, consider blocking them at the network level using your router or a dedicated network firewall.
  7. Be aware of data in the cloud: IoT devices may upload your data to “the cloud.” Disable such features if you don’t need them.
  8. Read news feeds: Regular check news feeds to learn about newly-discovered security vulnerabilities. Act accordingly.

As an advanced, tech-savvy user, you can create dedicated virtual LANs (VLAN) for your IoT devices to isolate their network traffic. Use network scanners like nmap to identify open ports and services on your home network.

Summary

IoT devices are everywhere nowadays. Becoming aware of these devices in your home network is crucial. Many people don’t realize that their IoT devices might be exposed to the internet. Secure your devices accordingly.